Earlier this month, the House Intelligence Committee introduced a bill promoting shared cyber security information between the government and corporations. The bill exempts companies from liability for voluntarily disclosing hacking incidents and gives corporations access to data from the National Security Administration to help protect their networks.
Who’s For the Bill
Representative Mike Rogers, the chairman of the House Permanent Select Committee on Intelligence, stated that “Through hard work and compromise we have struck a delicate balance that provides strong protection for privacy and civil liberties, while still enabling effective cyber threat sharing and providing clear authority for the private sector to defend its own networks.”
Internet, cable, and telecommunication companies like Verizon and Comcast support the bill as it creates strong incentives for the private sector to cooperate with the government on a voluntary basis. Corporations also have access to classified intelligence on cyber security threats so they can protect their own networks.
This philosophy of “sharing is caring” or, better put, “sharing stops hacking” has been key in the anti-fraud world, where early warnings have helped to reduce fraud. The success of this could provide for a good benchmark going forward with this bill.
Who’s Against the Bill
Members of the administration and privacy groups are arguing against the bill, stating that the generous liability and antitrust protections could limit the government’s ability to protect citizens due to the lack of corporate accountability. As Michelle Richardson, legislative counsel for the American Civil Liberties Union, states, “The concern is that the government will be able to create records of people’s Internet use in the name of cyber security.”
The information presented to the government would be shared without a court order, and some incidental data might be transferred to the government. Companies could require that their security providers remove any reference to the firm’s name, employees or customers before sharing with the government, however this is left to the company’s own discretion.
For You and for Your Business
Cyber security is an ever-present issue no matter how big or small your business. However, many security attacks can be traced to a lack of diligence within an organization or a lack of understanding of how to accurately create a plan and process around protecting your network, as shown through this recent Healthcare report.
Whether or not this bill gets passed, in order to protect your business from an attack and likewise to protect yourself from having to reveal data to the government, here are our tips on how to arm your company and yourself against cyber attacks.
- Assume it’s a matter of if, not when.
There are many reports available in the public domain, mostly with disturbing statistics, like more than 90% of respondents to a Security Megatrends Survey admitting their companies have been victims of a cyber attack. That’s 10:1 odds that an attack WILL happen. Seems like a bad bet.
- IDS/IPS is not enough.
Intrusion detection and prevention systems, though valuable, are not enough. Even with these protections in place, significant breaches still occur. It’s in the news all the time. IDS/IPS must be augmented with ongoing, 24×7 network recording and analysis. When a breach does occur, network recordings can be replayed and analyzed, providing the very best information for responding to the breach, including the ability to answer the five key questions that must be answered whenever a breach occurs.
1. Who was the intruder?
2. How did the intruder penetrate security?
3. What damage has been done?
4. Did the intruder leave anything behind?
5. How can we prevent this attack from reoccurring?
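To make the replay-and-analyze step concrete, here is an added example (not code from the original post) that walks a recorded flow log and answers the five questions above. The flow format (timestamp, source, destination, destination port, bytes sent) and the sample records are constructed for the example; the beacon heuristic (small outbound connections at a steady interval) and the 10.0.0.0/8 internal range are assumptions chosen for illustration.

```python
"""Replay recorded network flows to answer the five post-breach questions.
Added example, not from the original post; format and sample data are constructed."""
from datetime import datetime
import ipaddress

# Assumption: the protected network lives in this range.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow log: ts,src,dst,dport,bytes (bytes sent src -> dst).
# It depicts an external host reaching an internal RDP port, the internal
# host then beaconing out once a minute, followed by a large outbound transfer.
SAMPLE_FLOWS = """\
2024-01-10T09:00:00,203.0.113.7,10.0.0.5,3389,12000
2024-01-10T09:00:40,10.0.0.5,203.0.113.7,443,800
2024-01-10T09:01:40,10.0.0.5,203.0.113.7,443,800
2024-01-10T09:02:40,10.0.0.5,203.0.113.7,443,800
2024-01-10T09:05:00,10.0.0.5,203.0.113.7,443,52000000
2024-01-10T09:06:00,10.0.0.8,10.0.0.9,445,4000
"""


def parse_flows(text):
    """Parse the constructed CSV flow format into dicts sorted by time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return sorted(flows, key=lambda f: f["ts"])


def is_internal(ip):
    return ip in INTERNAL


def find_initial_access(flows):
    """Q1/Q2: the earliest flow from an external address into an internal host."""
    for f in flows:
        if not is_internal(f["src"]) and is_internal(f["dst"]):
            return f
    return None


def exfil_bytes(flows, victim, intruder):
    """Q3: total bytes the victim sent back to the intruder (possible exfiltration)."""
    return sum(f["bytes"] for f in flows if f["src"] == victim and f["dst"] == intruder)


def find_beacons(flows, victim, intruder, min_count=3, tolerance_s=5, max_bytes=10000):
    """Q4: small outbound connections from victim to intruder at a steady interval,
    the usual footprint of an implant left behind that phones home.
    The size and interval thresholds are illustrative assumptions."""
    times = [f["ts"] for f in flows
             if f["src"] == victim and f["dst"] == intruder and f["bytes"] < max_bytes]
    if len(times) < min_count:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if max(gaps) - min(gaps) <= tolerance_s:
        return {"count": len(times), "interval_s": round(sum(gaps) / len(gaps))}
    return None


def answer_five_questions(flows):
    """Assemble the five answers from the recorded flows."""
    entry = find_initial_access(flows)
    if entry is None:
        return {"status": "no external-to-internal flow recorded"}
    intruder, victim, port = entry["src"], entry["dst"], entry["dport"]
    return {
        "who": str(intruder),
        "how": f"inbound to {victim} on port {port} at {entry['ts'].isoformat()}",
        "damage_bytes_out": exfil_bytes(flows, victim, intruder),
        "left_behind": find_beacons(flows, victim, intruder),
        # Q5: the recording tells you which exposure to close and what to watch for.
        "prevent": f"restrict inbound port {port} at the perimeter; alert on traffic to {intruder}",
    }


if __name__ == "__main__":
    for question, answer in answer_five_questions(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{question}: {answer}")
```

On the sample log the script names the external address as the intruder, the inbound RDP connection as the entry point, reports roughly 52 MB sent back out, and flags three once-a-minute outbound connections as a likely implant. None of this is visible from an IDS alert alone; it comes from having the full record to replay.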
- Technology is not enough.
Though technology is an instrumental part of any security solution, technology alone isn’t enough. Good old-fashioned policies and procedures must be established and enforced. More and more studies are indicating that Advanced Persistent Threats (APTs), which are becoming the most common form of attacks, often result from risky behaviors from within the network. Controlling and monitoring each individual user is not realistic, but a well-documented and socialized security plan can help users identify, and hopefully refrain from, risky behavior, especially if the magnitude of the risks is also made clear.
Regardless of the outcome of the Cyber Intelligence Sharing and Protection Act, the best approach is to make every effort possible to prevent an attack from happening. Then, you won’t have to worry about whether or not, and how, you want to share your cyber security data with the government.